Why would you go to such drastic measures when you can encrypt your wallet with a passphrase using the bitcoin client? Choose a decent passphrase and you're good to go. Just please make sure your machine stays malware-free, ok?

Remember that if your main machine gets infected, a VM running inside it might not protect you. A VM can be used with great success to contain a threat, not to keep a threat already present in the parent machine outside.

There is no gain in keeping the block chain on a volatile FS and re-downloading it all the time. Keep the block chain on the persistent FS and limit your worries to the wallet file.

Also, why make the wallet file read-only?? The client will want to write changes to your wallet with every transaction you make and "read" is the only privilege the malware really needs.

If built-in AES encryption doesn't seem enough, you could always use TrueCrypt and mount your Serpent-Twofish-AES-encrypted wallet using the command line. Alternatively, you could keep the wallet on a LUKS-encrypted volume. This way you can have multiple keys and revoke them if necessary. Or, use the good old gpg for securing the wallet further. There are countless possibilities.